Craft store Michaels may be latest mega-retailer to get hacked

US Secret Service is looking into a potential credit card grab at the chain.

On Saturday, security journalist Brian Krebs reported on what looks to be yet another security breach at a big-name national retailer. This time, the craft store Michaels is in the crosshairs. It seems that fraudulent purchases were made on at least “hundreds” of customer cards after those cards had been used at Michaels-owned locations.

While Michaels has not yet confirmed a data breach, it published a press release (PDF) on Saturday saying “The Company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information the Company has received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred.” The US Secret Service has confirmed that it is investigating the matter.

The news of a potential hack follows similar reports, beginning in late November, that Target suffered a data breach that lost the credit card numbers of over 40 million customers and the personal information of over 70 million customers. Earlier this month, luxury retailer Neiman Marcus also admitted that malware on its systems had exposed 1.1 million payment cards to hackers.

Brian Krebs broke news pertaining to both of those hacks, and his sources within the payment processing industry have been reliable.

One of Krebs' anonymous sources expanded on the news of the probable Michaels hack to compare it to the previous retail break-ins: “What’s interesting is there’s another [arts and framing] store called Aaron Brothers, and within past week or two there was a lot of activity talking about Aaron Brothers. One of the things I learned the other day is that Aaron Brothers is wholly owned by Michael’s. It really does look like kind of the way we saw the Target breach spin up, because the fraud here isn’t limited to one store or one area, it’s been all over the place.”

If confirmed, this could be the second high-profile attack in recent years for Michaels. Reuters reports that in 2011, “hackers replaced some 84 PIN pads on payment-card terminals at a small number of its stores, resulting in the theft of about 94,000 payment card numbers.”

I can't wait for a better system to come along than just providing a secret set of numbers on a piece of plastic. Does anyone know if something is in the works? I imagine some sort of asymmetric key system like pgp where you can sign a transaction via a device and pay without ever exposing your private key to a third party.

Edit: I guess I just described bitcoin. It seems like the banking system could adopt something similar, that's not peer to peer.

Except for the part where the retailer ALREADY HAS the bulk of the liability. Fraudulent purchases are the retailer's problem, keeping secret 16 cleartext digits from a 1960s technology is their problem, giant blowups like this are the retailer's problem. The only party that has the authority to change the mechanism to be halfway as secure as "World of Warcraft" keygens is too big to be held responsible.

Maybe one of these retailers will care about protecting customer financial data when they have some degree of liability.

Haha, who am I kidding? This isn't the EU.

So far none have released enough data for us to conclude how good their protection and security was.

I would like to know if they had no security or ignored best practices. But for all we know their security was "10x better than anyone else" and they still got whacked. It's easy to sit on the outside and say "pile on my security idiots!" but it could be there really is no cost-effective solution to the current system.

Except for the part where the retailer ALREADY HAS the bulk of the liability. Fraudulent purchases are the retailer's problem, keeping secret 16 cleartext digits from a 1960s technology is their problem, giant blowups like this are the retailer's problem. The only party that has the authority to change the mechanism to be halfway as secure as "World of Warcraft" keygens is too big to be held responsible.

The retailer who accepts the copied card has the liability, not the retailer who lets someone copy the card in the first place.

I can't wait for a better system to come along than just providing a secret set of numbers on a piece of plastic. Does anyone know if something is in the works? I imagine some sort of asymmetric key system like pgp where you can sign a transaction via a device and pay without ever exposing your private key to a third party.

Edit: I guess I just described bitcoin. It seems like the banking system could adopt something similar, that's not peer to peer.

YES! One could store the private key on the Card, maybe in a really tiny tamper-resistant Chip. It could then sign all transactions, directly on the card, the key would never even have to leave the chip. The PIN would also be sent encrypted to this chip (by the key pad), so no sniffing.

The trick is it is really easy to fool the card present/not present function. At best it is a manual button; normally, though, it just goes by the secret 3-digit security code, which you are required to provide anyway.

The trick is the credit card processors do not believe that the $5 billion they lose annually due to fraud is worth trying to fix.

That is called capitalism. Just like JP Morgan's 14 billion dollar fine is not only tax deductible but just the cost of doing business. No harm no foul, pay your fine and no big deal.

I can't wait for a better system to come along than just providing a secret set of numbers on a piece of plastic. Does anyone know if something is in the works? I imagine some sort of asymmetric key system like pgp where you can sign a transaction via a device and pay without ever exposing your private key to a third party.

Edit: I guess I just described bitcoin. It seems like the banking system could adopt something similar, that's not peer to peer.

YES! One could store the private key on the Card, maybe in a really tiny tamper-resistant Chip. It could then sign all transactions, directly on the card, the key would never even have to leave the chip. The PIN would also be sent encrypted to this chip (by the key pad), so no sniffing.

...

Oh, wait, I just described how Debit Cards already work...

My bank-issued credit card can be used as a debit card and it has no chip. Entering a PIN can be observed by a camera or shoulder surfing.

My bank issued card is a combination credit, debit, and ATM card. I arranged with the bank to turn off the credit and debit features, and use credit cards not directly associated with my bank account as a cut out. Then I pay those cards using my checking account.

Except for the part where the retailer ALREADY HAS the bulk of the liability. Fraudulent purchases are the retailer's problem, keeping secret 16 cleartext digits from a 1960s technology is their problem, giant blowups like this are the retailer's problem. The only party that has the authority to change the mechanism to be halfway as secure as "World of Warcraft" keygens is too big to be held responsible.

Wrong. The retailer that has a card USED at their location has liability. The source of the breach does NOT have financial liability.

I can't wait for a better system to come along than just providing a secret set of numbers on a piece of plastic. Does anyone know if something is in the works? I imagine some sort of asymmetric key system like pgp where you can sign a transaction via a device and pay without ever exposing your private key to a third party.

Edit: I guess I just described bitcoin. It seems like the banking system could adopt something similar, that's not peer to peer.

YES! One could store the private key on the Card, maybe in a really tiny tamper-resistant Chip. It could then sign all transactions, directly on the card, the key would never even have to leave the chip. The PIN would also be sent encrypted to this chip (by the key pad), so no sniffing.

...

Oh, wait, I just described how Debit Cards already work...

My bank-issued credit card can be used as a debit card and it has no chip. Entering a PIN can be observed by a camera or shoulder surfing.

My bank issued card is a combination credit, debit, and ATM card. I arranged with the bank to turn off the credit and debit features, and use credit cards not directly associated with my bank account as a cut out. Then I pay those cards using my checking account.

The above is the Chip and PIN system used in the EU. It is a lot more secure. That is not how PIN systems in the US are done. The US uses a static card number (on the stripe) plus a PIN. The PIN is used to encrypt a key chain within the hardware, and is only sent to the terminal in encrypted form.

At some point, you're going to see Visa and Mastercard tell a retailer to take a long walk off a short pier, and watch as the store collapses in a matter of days.

I don't think anyone "wins" in this situation. Target/Michaels/etc has to revamp security, which costs money, and cuts into their bottom line. They'll pass some of that cost onto the consumer, which will hurt us. The banks and credit card companies will have to issue new cards and/or increase their fraud protection, all of which costs money.

The only real solution to this problem has been in the works for some time -- a chip & pin system would have prevented this from happening. From what I understand, card issuers have until 2015 to begin issuing chip-compliant cards (in the US), and processing companies will likely start issuing readers to stores within the next year or so. It won't protect consumers from online fraud necessarily, but it will keep their card safe from this kind of attack.

The retailer who accepts the copied card has the liability, not the retailer who lets someone copy the card in the first place.

What exactly is their liability? I thought as long as they followed certain rules they were insulated too? Isn't that why they distinguish between "card present" and "card not present"?

Card Present / Not Present is used to determine the rate charged by the processing vendor. The line of thinking is that if the card is not present, it's more likely to be a fraudulent transaction, so we charge more so we can still make money even when a chargeback occurs (i.e., the money is returned) and we have to do paperwork.

And retailers are not insulated. There's a term in their processing contracts that makes them liable for all fraud that is processed by them. So the bank and the processor have no liability, and any retailer that is hacked ALSO has no liability.

At some point, you're going to see Visa and Mastercard tell a retailer to take a long walk off a short pier, and watch as the store collapses in a matter of days.

Not going to happen. You realize that they'd be sacrificing millions in fees per retailer, right? And since they don't bear any loss on fraud (but get fees from that too!) they have no incentive to fix the problem. The worst they will do is increase the processing fee for "bad" retailers, like they do now on Internet charges (look it up - the merchant fees for an online-only store are at least double what they charge a retail storefront with swipe reader).

Suggestion to the Ars team: with the number of card fraud articles that have been published, and with the likelihood of at least 2-3 more retailers making announcements, you might want to do a primer on payment systems. That way we can try to counter all the incorrect information here in the comments.

If a retailer is liable, then what is their punishment? A fine? Denied the ability to take credit cards as payment?

According to the PCI Data Security Standard, a retailer can be fined up to $500,000 USD per incident (but "incident" is never defined as per PAN or per breach) and could also be stripped of their ability to process card transactions.

If a retailer is liable, then what is their punishment? A fine? Denied the ability to take credit cards as payment?

According to the PCI Data Security Standard, a retailer can be fined up to $50,000 USD per incident (but "incident" is never defined as per PAN or per breach) and could also be stripped of their ability to process card transactions.

Has any retailer ever had this happen? I can't recall any.

I would also note that the PCI standard is a voluntary one, not a legal one, and there's an extensive array of "grandfather" clauses that cover most of the retailers we've heard about so far.

If a retailer is liable, then what is their punishment? A fine? Denied the ability to take credit cards as payment?

According to the PCI Data Security Standard, a retailer can be fined up to $50,000 USD per incident (but "incident" is never defined as per PAN or per breach) and could also be stripped of their ability to process card transactions.

Has any retailer ever had this happen? I can't recall any.

I would also note that the PCI standard is a voluntary one, not a legal one, and there's an extensive array of "grandfather" clauses that cover most of the retailers we've heard about so far.

EDIT: updated quote

It's voluntary if you don't mind getting nailed with daily non-compliance fines. But, to my knowledge, I haven't read any reports of merchants being fined. And, if they are, it's kept very quiet.

As for the grandfather clauses, those expire after a year or so. PCI sunsets older versions of the DSS so eventually you'll have to meet the requirements of the latest version of the standard when you reapply for compliance the following year.

I was in a Harbor Freight Tools store today, and saw a sign posted at the checkout indicating that they too were looking into a potential credit card breach and had hired a third-party security firm to investigate. Could not locate anything on their website, but this could be worth looking into as another one of the companies hit.

I can't wait for a better system to come along than just providing a secret set of numbers on a piece of plastic. Does anyone know if something is in the works? I imagine some sort of asymmetric key system like pgp where you can sign a transaction via a device and pay without ever exposing your private key to a third party.

While there are still methods that can defeat it (like someone vandalizing an ATM and installing a piggybacked card reader), point-to-point encryption technology has been available for many years. These specialized readers use DUKPT cryptography (wiki it for more details) that encrypts the card data before it ever leaves the device using a unique key every time. It ensures that the merchant's point of sale system will NEVER have access to the card data itself in an unencrypted form. This encrypted track data then gets decrypted at the payment processor.

There is no reason (and frankly no excuse) that this technology is not already widely deployed by now. A lot of the new mobile device readers are using it. We used it on the iPad kiosk systems we developed; since I was responsible for the security of the system, it actually allowed me to sleep at night.
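The property the comment above describes (card data encrypted in the reader under a key that changes every transaction, with the merchant POS only ever forwarding ciphertext and the processor doing the decryption) is easier to see in code. The following is an added illustration written for this page; it is not the commenter's code, not a DUKPT product, and not the ANSI X9.24 derivation itself. It substitutes a simplified one-way hash ratchet for DUKPT's key tree, an HMAC-SHA256 counter-mode stream cipher (standard library only) for the TDES/AES a real reader would use, and the names `Reader`, `Processor`, `BDK`, `DEVICE_SERIAL` and the PAN `4111111111111111` are all constructed for the example. What it does show faithfully: the base derivation key never leaves the processor, each swipe uses a different key, the POS cannot recover the PAN from what it forwards, and a reader captured after the fact holds no key that decrypts earlier transactions.

```python
import hashlib
import hmac
import os

# Constructed sample values for this illustration only; not real keys or card data.
BDK = hashlib.sha256(b"constructed-base-derivation-key").digest()  # lives only at the processor
DEVICE_SERIAL = b"READER-0001"                                      # injected at manufacture
SAMPLE_TRACK = b";4111111111111111=25121010000000000000?"          # constructed test PAN


def derive_initial_key(bdk: bytes, serial: bytes) -> bytes:
    """Per-device starting key, derived from the BDK at key-injection time.
    The reader receives only this value; the BDK never leaves the processor."""
    return hmac.new(bdk, b"initial-key|" + serial, hashlib.sha256).digest()


def ratchet(key: bytes) -> bytes:
    """One-way step to the next transaction key. SHA-256 cannot be inverted,
    so a key captured from the reader later cannot be walked backwards."""
    return hashlib.sha256(b"ratchet|" + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (stdlib only)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; any tampering (or a wrong key) is rejected outright."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext rejected: bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Reader:
    """The encrypting card reader. It holds only its current key and a counter."""

    def __init__(self, serial: bytes, initial_key: bytes):
        self.serial = serial
        self.counter = 0
        self._key = initial_key

    def swipe(self, track_data: bytes) -> dict:
        msg = {"serial": self.serial, "counter": self.counter,
               "ciphertext": encrypt(self._key, track_data)}
        # Advance and discard the used key immediately, so a reader compromised
        # later cannot decrypt transactions it has already sent.
        self._key = ratchet(self._key)
        self.counter += 1
        return msg


class Processor:
    """The payment processor: the only party that holds the BDK."""

    def __init__(self, bdk: bytes):
        self._bdk = bdk

    def open_transaction(self, msg: dict) -> bytes:
        key = derive_initial_key(self._bdk, msg["serial"])
        for _ in range(msg["counter"]):   # replay the reader's ratchet to this swipe
            key = ratchet(key)
        return decrypt(key, msg["ciphertext"])


def pos_can_see_pan(msg: dict, track_data: bytes) -> bool:
    """The merchant POS forwards msg as-is; the track data never appears in it."""
    return track_data in msg["ciphertext"]


def run_demo() -> dict:
    reader = Reader(DEVICE_SERIAL, derive_initial_key(BDK, DEVICE_SERIAL))
    processor = Processor(BDK)
    first, second = reader.swipe(SAMPLE_TRACK), reader.swipe(SAMPLE_TRACK)
    return {
        "first_ok": processor.open_transaction(first) == SAMPLE_TRACK,
        "second_ok": processor.open_transaction(second) == SAMPLE_TRACK,
        "distinct_keys": first["ciphertext"] != second["ciphertext"],
        "pos_blind": not pos_can_see_pan(first, SAMPLE_TRACK),
    }


if __name__ == "__main__":
    print(run_demo())
```

The linear ratchet means the processor does `counter` hash steps per transaction; real DUKPT avoids that with a key tree and a small set of stored future keys, but the security argument is the same: what the reader stores at any moment cannot reveal what it encrypted before.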

About a month ago I made a purchase at Michaels for the first time in 12 months. And of course it was with my credit card with rewards which, ironically, has been compromised once every year for the past two years. Again, in a double irony, this card has been the only one to mark purchases as suspicious and lock down the card, yet never for an actual fraudulent charge. They also charge me $10 to replace the card in the event it's compromised, which is more than my purchase at Michaels.

*shrug* As of Jan 24 nothing odd has popped up on my card. I couldn't find any potential date ranges within the linked articles via a quick skimming, just "recently used"; anyone have any idea at what timeframe that the cards were compromised? It does mention that the fraudulent purchases were made at Big Box retailers like Best Buy over the past two days.

It'll be interesting to see how this pans out relative to the Target breach.

Despite my security stance, I was the victim of a $200 charge on my credit card before Christmas; it bugs me a lot that I don't know the source of the breach. I don't shop at Target or Neiman-Marcus, and I know I was in a Michaels store back in the fall, looking for wedding stuff with my now wife, but I don't think we bought anything...

Why do brick n' mortar retailers even keep this info? Charge the CC for the purchase -- erase it off your system.

Could be a variety of reasons, including needing to keep proper books or receipts or for fraud-protection reasons, etc... I know back in the day when I had a retail job it was possible to call up old receipts by the card number, if the customer still had the same card we could do a warranty return or replacement. Keeping records is *generally* a good idea. Also, even 'b&m' stores use fully computerised systems - they're not that different operationally to online stores, as far as handling purchases is concerned - it's just a different interface to the customer.

Like the metric system, the US will end up being the only one using a (insert your adjective) system. This profit-at-all-cost inertia is holding you back in surprising ways, internet access speed is not the least of them.

Just curious to know why the Secret Service is investigating this? Is it because they're part of the Treasury Department?

Because the protection detail (Presidential and otherwise) is a relatively small part of the Secret Service's mission (http://en.wikipedia.org/wiki/United_Sta ... vice#Roles). Their primary investigative mission is to "safeguard the financial system," hence they cover fraud such as this as well as counterfeiting and most bank robberies (in cooperation with local authorities). Also, after 9/11 they were expanded to cover electronic crimes as part of the Patriot Act.

a) I don't have a Debit Card, so ... it wasn't my money stolen.
b) I don't use my ATM card outside of a bank, so my risk of having the data stolen is slightly lesser - though not 100% less.
c) In the USA, credit card laws protect the end-user against fraud provided it is reported in a "timely" way. Usually that is within 60 days. The thieves are not using my money, so I don't have to beg to get it back. While any charges are "in dispute", I don't have to pay the bill for those charges. If I lose the dispute, then late fees apply.

EMV cards aren't really accepted anywhere in the USA. I have one and have never used it here in that mode. We are still using the old magnetic swipe and signature. Parts of the world have stopped accepting this mode. I've had my non-EMV cards refused a few times, but never in tourist areas. It is embarrassing to take a group out to an "authentic Turkish restaurant" and then not be able to pay the bill because the restaurant will not accept non-EMV cards. The waiter, head waiter, and manager just stood there looking stupid and tried over and over to put the card in the wrong slot. I think they wanted cash, which I didn't have in that amount. I showed them how to swipe the card, but that transaction failed too.

There has always been some amount of fraud with all card transactions. The card providers eat those costs because they are making so very much money for so very little real work.

The USA had an October 2014 deadline for EMV readers at all retailers set by ... I guess ... Visa, Mastercard and Europay. That date has been moved to 2015, but I doubt that will be met. See, with EMV comes changes in who is liable for fraudulent charges. If the correct PIN is entered, then the end-consumer is liable. If the retailer doesn't have an EMV reader, the liability is theirs. In the USA, the end-consumer is protected by a federal law for $50 of fraud, but I've never heard of anyone even paying that. That law is not gonna change, so in the USA, the fraud liability will shift to the vendor away from the bank/Visa folks. I understand the liability shift was tried in the UK too, but a law was put in place to limit it to 50lbs (sorry, don't have that key handy). It is amazing to me that the rest of the world hasn't done the same things with their laws to protect end-consumers?

Read more about the implementation dates for different countries/regions: https://en.wikipedia.org/wiki/EMV#EMV_Implementation

I travel overseas more than most - hit 10 countries last year - some didn't care about EMV at all and others required it. 1 shop tried to use it, but the transaction was rejected, so my non-EMV Amex got used. Not thrilled about that because the Amex overseas transaction charges are much higher for me.